{"id":1406,"date":"2019-12-04T21:22:05","date_gmt":"2019-12-05T02:22:05","guid":{"rendered":"http:\/\/insurtechadvisors.com\/?page_id=1406"},"modified":"2019-12-04T21:22:05","modified_gmt":"2019-12-05T02:22:05","slug":"state-data-security-laws-2019","status":"publish","type":"page","link":"https:\/\/insurtechadvisors.com\/old\/state-data-security-laws-2019\/","title":{"rendered":"State Data Protection Laws 2019"},"content":{"rendered":"\n

2019 State-by-state data protection laws for the private sector<\/h2>\n\n\n\n
\n State<\/strong>\n <\/td> Regulation<\/strong><\/td>\n Applies to:<\/strong>\n <\/td>\n Security Measures Required<\/strong>\n <\/td><\/tr>
\n Alabama<\/strong>\n <\/td>\n 2018 S.B. 318<\/a>\n <\/td>A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information. <\/td>Implement and maintain reasonable security measures (as specified\/ detailed in statute) to protect sensitive personally identifying information against a breach of security. <\/td><\/tr>
\n Arkansas<\/strong>\n  \n <\/td>\n Ark. Code \u00a7 4-110-104(b)<\/a>\n <\/td> A person or business that acquires, owns or licenses personal information <\/td>Implement and maintain reasonable security procedures and practices appropriate to the nature of the information. <\/td><\/tr>
\n California<\/strong>\n  \n <\/td>Cal Civ. Code \u00a7\u00a01798.81.5<\/a> <\/td>A business that owns, licenses, or maintains personal information. \u00a0 Third party contractors <\/td>Implement and maintain reasonable security procedures and practices appropriate to the nature of the information. <\/td><\/tr>
\n California<\/strong>\n <\/td>Calif. Civil Code \u00a7 1798.91.04<\/a> <\/td>Manufacturers of connected devices sold in California. <\/td>Equip the device with reasonable security features that are appropriate to the nature and function of the device and the information it may collect, contain, or transmit, and that are designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure. <\/td><\/tr>
\n Colorado<\/strong>\n <\/td>Colo. Rev. Stat. \u00a7 6-1-713.5\u00a0\u00a0<\/a>(2018 H.B. 1128<\/a>) <\/td>Any entity that maintains, owns, or licenses personal identifying information in the course of the person\u2019s business or occupation. <\/td>Develop written policies for the proper disposal of personal information once such information is no longer needed. Implement and maintain reasonable security practices and procedures to protect personal identifying information from unauthorized access. <\/td><\/tr>
\n Connecticut<\/strong>\n  \n <\/td>Conn. Gen. Stat. \u00a7 38a-999b<\/a> <\/td>Any health insurer, health care center or other entity licensed to do health insurance business in the\u00a0state. <\/td>Implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company. <\/td><\/tr>
\n Connecticut<\/strong>\n <\/td>Conn. Gen.\u00a0Stat. \u00a7\u00a04e-70<\/a> <\/td>Contractors: an individual, business or other entity that is receiving confidential information from a state contracting agency or agent of the state pursuant to a written agreement to provide goods or services to the state. <\/td>Implement and maintain a comprehensive data-security program\u00a0(as specified\/detailed in statute)<\/strong>\u00a0including encryption of all sensitive personal data transmitted wirelessly or via a public Internet connection, or contained on portable electronic devices has to be encrypted as well. <\/td><\/tr>
\n Delaware<\/strong>\n <\/td>Del. Code \u00a7 12B-100<\/a> <\/td>Any person who conducts business in the state and owns, licenses, or maintains personal information. \u00a0 <\/td>Implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business. <\/td><\/tr>
\n Florida<\/strong>\n  \n <\/td>Fla. Stat. \u00a7 501.171(2)<\/a> <\/td>Covered entities (sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity) and \u00a0 Third-party agent (entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity). <\/td>Reasonable measures to protect and secure data in electronic form containing personal information. <\/td><\/tr>
\n Illinois<\/strong>\n <\/td>\n https:\/\/www.ilga.gov\/legislation\/ilcs\/ilcs3.asp?ActID=2702&ChapterID=67<\/a>\n <\/td>A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information. <\/td>Implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.\u00a0A contract for the disclosure of personal information must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures. <\/td><\/tr>
\n Indiana<\/strong>\n  \n <\/td>Ind. Code \u00a7 24-4.9-3-3.5<\/a> <\/td>A database owner: a person that owns or licenses computerized data that includes personal information. <\/td>Implement and maintain reasonable procedures, including taking any appropriate corrective action. <\/td><\/tr>
\n Kansas<\/strong>\n <\/td>K.S.\u00a0\u00a7\u00a050-6,139b<\/a> <\/td>A holder of personal information: a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person. <\/td>Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure.\u00a0 <\/td><\/tr>
\n Louisiana<\/strong>\n <\/td>La. Rev. Stat. \u00a7 3074<\/a> (2018 S.B. 361<\/a>) <\/td>Any person that conducts business in the state or that owns or licenses computerized data that includes personal information. <\/td>Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. <\/td><\/tr>
\n Maryland<\/strong>\n <\/td>Md. Code Com Law \u00a7\u00a7 14-3501 to -3503<\/a> <\/td>A business: a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit. Business includes a financial institution\u2026 \u00a0 Non affiliated third party\/service provider <\/td>Implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations. <\/td><\/tr>
\n Massachusetts<\/strong>\n <\/td>Mass. Gen. Laws\u00a0Ch. 93H \u00a7 2(a)<\/a> <\/td>Any person that owns or licenses personal information. <\/td>Authorizes regulations to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards. The regulations shall take into account the person’s size, scope and type of business, resources available, amount of stored data, and the need for security and confidentiality of both consumer and employee information. See also\u00a0201 Mass. Code of Regs. 17.00-17.04<\/a> <\/td><\/tr>
\n Minnesota<\/strong>\n <\/td>Minn. Stat. \u00a7 325M.05<\/a> <\/td>Internet service providers. <\/td>Take reasonable steps to maintain the security and privacy of a consumer’s personally identifiable information. <\/td><\/tr>
\n Nebraska<\/strong>\n <\/td>Neb. Rev. Stat. \u00a7\u00a7 87-801-807\u00a0<\/a>(2018 L.B. 757<\/a>) <\/td>Any individual or commercial entity that conducts business in Nebraska and maintains personal information about Nebraska residents. <\/td>Establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained. Ensure that all third parties to whom the entity provides sensitive personal information establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained. <\/td><\/tr>
\n Nevada<\/strong>\n  \n <\/td>Nev. Rev. Stat. \u00a7\u00a7 603A.210, 603A.215(2)<\/a> <\/td>A data collector that maintains records which contain personal information. \u00a0 A person to whom a data collector discloses personal information. <\/td>Implement and maintain reasonable security measures<\/td><\/tr>
\n New Mexico<\/strong>\n <\/td>N.M. Stat.\u00a0\u00a7 57-12C-4, 57-12C-5\u00a0(2017 H.B. 15, Chap. 36<\/a>) \u00a0 <\/td>A person that owns or licenses personal identifying information of a New Mexico resident. <\/td>Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure. <\/td><\/tr>
\n Ohio<\/strong>\n <\/td>Ohio Rev. Stat. \u00a7 1354.01 to 1354.05<\/a> (2018 S.B. 220<\/a>) <\/td>Business or nonprofit entity, including a financial institution, that accesses, maintains, communicates, or handles personal information or restricted information. <\/td>To qualify for an affirmative defense to a cause of action alleging a failure to implement reasonable information security controls resulting in a data breach, an entity must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information as specified (e.g., conforming to an industry recognized cybersecurity framework as listed in the act). <\/td><\/tr>
\n Oregon<\/strong>\n  \n <\/td>Or. Rev. Stat \u00a7 646A.622<\/a> <\/td>Any person that owns, maintains or otherwise possesses data that includes a consumer\u2019s personal information that is used in the course of the person\u2019s business, vocation, occupation or volunteer activities. <\/td>Develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data <\/td><\/tr>
\n Rhode Island<\/strong>\n <\/td>R.I. Gen. Laws \u00a7 11-49.3-2<\/a> <\/td>A business that owns or licenses computerized unencrypted personal information. \u00a0 A non affiliated third-party contractor. <\/td>Implement and maintain a risk-based information security program with reasonable security procedures and practices appropriate to the nature of the information. \u00a0 <\/td><\/tr>
\n South Carolina<\/strong>\n <\/td>S.C. Code \u00a7 38-99-10 to -100.<\/a> (2018 H.B. 4655<\/a>) <\/td>A person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the state (does not include a purchasing group or a risk retention group chartered and licensed in another state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction). <\/td>Requires a licensee to develop, implement and maintain a comprehensive information security program based on the licensee\u2019s risk assessment. Establishes requirements for the security program, such as implementing an incident response plan and other details. <\/td><\/tr>
\n Texas<\/strong>\n <\/td>Tex. Bus. & Com. Code \u00a7 521.052<\/a> \u00a0 <\/td>A business or nonprofit athletic or sports association that collects or maintains sensitive personal information. (Does not apply to financial institutions) <\/td>Reasonable procedures, including taking any appropriate corrective action. <\/td><\/tr>
\n Utah<\/strong>\n  \n <\/td>Utah Code \u00a7\u00a7\u00a013-44-101<\/a>,\u00a0-201<\/a>, 301 <\/td>Any person who conducts business in the state and maintains personal information. <\/td>Implement and maintain reasonable procedures. <\/td><\/tr>
\n Vermont<\/strong>\n <\/td>9 V.S.A \u00a7 2446-2447<\/a> (2018 H.B. 764) <\/td>Data brokers-businesses that\u00a0 knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship. <\/td>Register annually with the Secretary of State. Implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

(as of Nov 2019)<\/p>\n\n\n\n

(reported by the National Conference of State Legislatures)<\/p>\n","protected":false},"excerpt":{"rendered":"

2019 State-by-state data protection laws for the private sector State Regulation Applies to: Security Measures Required Alabama 2018 S.B. 318 A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information. Implement and maintain reasonable security measures (as specified\/ detailed in […]<\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":1408,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","content-type":"","footnotes":""},"class_list":["post-1406","page","type-page","status-publish","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/insurtechadvisors.com\/old\/wp-json\/wp\/v2\/pages\/1406","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/insurtechadvisors.com\/old\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/insurtechadvisors.com\/old\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/insurtechadvisors.com\/old\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/insurtechadvisors.com\/old\/wp-json\/wp\/v2\/comments?post=1406"}],"version-history":[{"count":0,"href":"https:\/\/insurtechadvisors.com\/old\/wp-json\/wp\/v2\/pages\/1406\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/insurtechadvisors.com\/old\/wp-json\/wp\/v2\/media\/1408"}],"wp:attachment":[{"href":"https:\/\/insurtechadvisors.com\/old\/wp-json\/wp\/v2\/media?parent=1406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}